b'        U.S. Department of Energy\n        Office of Inspector General\n        Office of Audit Services\n\n\n\n\nSpecial Report\n\nThe Department\'s Unclassified\nForeign Visits and Assignments\nProgram\n\n\n\n\nDOE/IG-0791                           March 2008\n\x0c                               Department of Energy\n                                 Washington, DC 20585\n\n                                    March 24, 2008\n\n\nMEMORANDUM FOR THE SECRETARY\n\nFROM:\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Special Report on "The Department\'s\n                         Unclassified Foreign Visits and Assignments Program"\n\nBACKGROUND\n\nThe Department of Energy\'s national laboratories and various Federal officials interact\nwith thousands of foreign national visitors and assignees every year. Visits and\nassignments are for a variety of purposes, including research collaborations and access to\nscientific user facilities. While the Department reports that these interactions stimulate\nideas and foster research, they also carry inherent security risks. The Office of Foreign\nVisits and Assignments and the Office of Intelligence and Counterintelligence help the\nDepartment ensure that security risks are addressed while fostering collaboration with\nforeign nationals.\n\nIn our report on The Department\'s Unclassified Foreign Visits and Assignments Program\n(DOE/IG-0579, December 2002), we observed that the Department had not adequately\ncontrolled unclassified visits and assignments by foreign nationals. That audit identified\nissues such as admitting visitors prior to receiving required approvals, not completing\nbackground checks, and neglecting to enter appropriate and accurate information into the\nDepartment\'s Foreign Access Central Tracking System (FACTS). Management agreed to\ntake corrective action and has since issued a new Department order to govern these\nactivities. 
Due to the sensitivity of the program and the potential for harm, we initiated\nthis review to determine whether the Department had improved the management of its\nForeign Visits and Assignments Program.\n\nOBSERVATIONS AND CONCLUSIONS\n\nThe Department had addressed several previously reported issues. Additional and\ncontinuing weaknesses, however, diminished the effectiveness of controls designed to\nreduce the security risk associated with foreign visits and assignments. In particular,\nhosts for foreign nationals \xe2\x80\x93 individuals responsible for the day-to-day management and\nsecurity associated with visits or assignments \xe2\x80\x93 had not ensured that a number of\nprotective measures were implemented. For example, certain hosts did not always:\n\n      \xe2\x80\xa2   Take action to ensure that site or facility access was terminated when the foreign\n          nationals completed visits or assignments. In one extreme case, we found that a\n          visitor, whose assignment had been revoked, did not have his access authorization\n          cancelled and was able to enter the former host facility after normal operating\n          hours without being discovered;\n\n      \xe2\x80\xa2   Familiarize themselves with or enforce specific security plans \xe2\x80\x93 plans designed to\n          restrict movements, activities and/or access \xe2\x80\x93 for visitors they were assigned to\n          host from sensitive countries such as China and India;\n\n      \xe2\x80\xa2   Verify the identity and validity of foreign nationals\' immigration status\n          information prior to or periodically during assignments or visits as required for\n          off-site visits; and,\n\n      \xe2\x80\xa2   Ensure that required counterintelligence reviews were conducted prior to\n          permitting foreign nationals to access sensitive information systems and data.\n\nWe 
also identified a significant and continuing problem with the maintenance and\naccuracy of FACTS that detracted from the Department\'s ability to track the immigration\nstatus or other factors for its many foreign visitors and assignees. Specifically:\n\n      \xe2\x80\xa2   For 104 of the 188 (approximately 55 percent) randomly selected FACTS visits or\n          assignments we reviewed, tracking information was not properly entered,\n          contained errors, or was not up-to-date.\n\nWhen viewed collectively, these problems or programmatic shortcomings caused us to\nconclude that security risks associated with the Department\'s Foreign Visits and\nAssignments Program remain higher than necessary. Contractor operated laboratories\nhad not ensured that hosts were cognizant of their responsibilities and were performing\nthem properly. Those laboratories and the Office of Foreign Visits and Assignments also\nhad not taken sufficient steps to ensure that data in the FACTS was reliable. Problems\nwith recordkeeping and tracking could limit the Department\'s ability to provide accurate\nand/or complete foreign national information to law enforcement agencies.\n\nTo its credit, the Department had addressed a previously identified issue \xe2\x80\x93 ensuring that\nforeign nationals had current passports and visas for on-site visits and assignments. Yet,\nwe concluded that more needs to be done to reduce the risk that individuals harboring\nmalicious intent could access sensitive information or damage facilities. Thus, the\nattached report includes several recommendations designed to address the problems noted\nin our review.\n\nWe also noted another matter for consideration pertaining to cyber access controls at one\nNational Nuclear Security Administration (NNSA) laboratory. 
This matter is discussed\nmore fully in Appendix 2 of the report.\n\nMANAGEMENT COMMENTS\n\nManagement generally concurred with our findings and recommendations and in certain\ninstances indicated that corrective actions had been initiated. NNSA submitted informal\ncomments and indicated that it would develop corrective actions and monitor progress to\ncompletion. Formal Management comments are included as Appendix 4.\n\nAttachment\n\ncc:       Acting Deputy Secretary\n          Administrator, National Nuclear Security Administration\n\x0cUnder Secretary of Energy\nUnder Secretary for Science\nChief of Staff\n\x0cSPECIAL REPORT ON THE DEPARTMENT\'S UNCLASSIFIED\nFOREIGN VISITS AND ASSIGNMENTS PROGRAM\n\nTABLE OF\nCONTENTS\n\n\n    Management of Unclassified Foreign Visits and Assignments\n\n    Details of Finding ....................................................................................................1\n\n    Recommendations....................................................................................................7\n\n    Comments ................................................................................................................8\n\n\n    Appendices\n\n    1. Objective, Scope, and Methodology..................................................................9\n\n    2. Other Matter for Consideration........................................................................11\n\n    3. Prior Reports ....................................................................................................12\n\n    4. Management Comments ..................................................................................13\n\x0cMANAGEMENT OF UNCLASSIFIED FOREIGN VISITS AND\nASSIGNMENTS\n\nTracking and Hosting   Weaknesses in hosting and tracking diminished the\nForeign Nationals      effectiveness of the Department of Energy\'s (Department)\n                       Foreign Visits and Assignments Program. 
In particular, our\n                       review of foreign visits at four laboratories and two\n                       Headquarters offices revealed that foreign national hosts\n                       were not performing a number of required tasks.\n                       Specifically hosts did not always: (1) take action to ensure\n                       that site or facility access was properly and promptly\n                       terminated when the visit or assignment was completed;\n                       (2) become familiar with and ensure that visitors or\n                       assignees complied with individualized security plans; (3)\n                       verify the identity and validity of foreign nationals\' status\n                       information for off-site visits as required; and, (4) ensure\n                       that counterintelligence reviews were completed prior to\n                       permitting foreign nationals to access sensitive information\n                       systems and data. We also noted that a significant and\n                       continuing problem with the maintenance and accuracy of\n                       the Department\'s Foreign Access Central Tracking System\n                       (FACTS) had not been resolved.\n\n                                    Host Responsibilities and Actions\n\n                       To help reduce risk, the Department requires that a host be\n                       appointed to define and control the work and access of each\n                       visitor or assignee. Hosts are responsible for the successful\n                       conduct of the foreign visit, including keeping site officials\n                       informed of the visit or assignment status; ensuring\n                       tracking systems are kept up-to-date with accurate and\n                       complete information; and complying with visitor-specific\n                       security plans. 
In addition, in certain cases such as at off-\n                       site meetings, the host must obtain and/or validate foreign\n                       national status documentation, i.e. visas and passports.\n                       These required actions are particularly important because\n                       nearly all of our sampled visitors represented countries\n                       such as the People\'s Republic of China, India, and Russia \xe2\x80\x93\n                       states that are considered "sensitive" because of national\n                       security, nuclear nonproliferation, or terrorism support\n                       concerns. As detailed in the following paragraphs,\n                       however, we discovered that hosts were not always\n                       aware of the full scope of their duties or mistakenly\n                       believed that other organizations or individuals were\n                       responsible for satisfying security requirements.\n\n\n\n\n________________________________________________________________\nPage 1                                            Details of Finding\n\x0c                      Updating Visit or Assignment Status\n\n                      Hosts at various sites told us that they had not always kept\n                      site officials informed of the status of visits or assignments\n                      as required. Many of the hosts stated that even though they\n                      were aware that a particular collaboration had ended or a\n                      need to visit a user facility no longer existed, they had not\n                      notified Foreign Visits and Assignments Program managers\n                      that the visit should be closed out and facility access\n                      terminated. 
We found, based on host interviews at one\n                      laboratory, that 14 of the 27 foreign nationals selected for\n                      review no longer needed site access because the visit or\n                      collaboration had been completed. For example, one\n                      assignee no longer needed access to the user facility at a\n                      particular laboratory because he was conducting his\n                      research at another laboratory. In another case, an\n                      assignee who had accepted a job in Italy had reportedly\n                      departed the United States and was no longer involved in a\n                      project with the laboratory. Another host told us that a\n                      particular assignee had completed the work and the\n                      collaboration was no longer necessary.\n\n                      Security Plans\n\n                      Hosts were not always cognizant of and did not enforce\n                      security plans designed to restrict the access and/or scope\n                      of the visitor or assignee. For visitors and assignees from\n                      sensitive countries, a specific security plan must be\n                      developed for each foreign national. These security plans\n                      are required to address concerns such as the type of security\n                      area to be visited and types of information to be accessed.\n                      Four of the nine hosts interviewed at one Office of Science\n                      (Science) laboratory advised us that they did not have a\n                      specific security plan in their possession nor were they\n                      otherwise familiar with the content of the security plan. 
At\n                      another Science laboratory, 12 of 23 hosts indicated that\n                      they were unfamiliar with the specific security plans for\n                      their visitors. At both locations, many hosts said that\n                      individual security plans were maintained by an\n                      administrative staff member in their division, but the\n                      security plans were neither provided to nor read by the\n                      host.\n\n                      Validating Status Documentation\n\n                      At one National Nuclear Security Administration (NNSA)\n                      laboratory and one Headquarters office, hosts were not\n                      always obtaining and/or validating status documents such\n                      as passports and visas for foreign visitors as required.\n                      Hosts for visitors at the NNSA laboratory were specifically\n                      required to take these actions for visitors or assignees not\n                      physically working at the laboratory; i.e., those involved in\n                      collaborations at off-site locations. 
In some cases, hosts\n                      arranged for this class of visitor or assignee to obtain\n                      remote access to the laboratory\'s information systems.\n                      Hosts are responsible for obtaining and providing up-to-\n                      date status documents to the foreign visits office in these\n                      instances and also examining previously-provided\n                      information to validate the identity of foreign nationals.\n\n                      At the NNSA site where foreign visitors were involved in\n                      off-site collaborations, hosts were not always obtaining\n                      immigration status information from foreign visitors. In\n                      three of four cases we reviewed involving off-site\n                      collaboration, the hosts indicated that they did not obtain\n                      up-to-date status information for visitors, nor did they\n                      provide the information to the foreign visits office. These\n                      hosts also did not visually inspect status documents. 
As a\n                      result, status information for these visitors did not exist or\n                      was not accurate in either the site foreign visitor tracking\n                      database or FACTS and it was uncertain that the foreign\n                      nationals were in valid status for the duration of the visit or\n                      assignment.\n\n                      During our testing at one Headquarters office, we also\n                      learned that despite Departmental security requirements to\n                      the contrary, hosts were not required by that office to\n                      visually inspect and verify passport and visa information at\n                      the time of foreign visitor arrival at Headquarters facilities.\n                      Obtaining and validating up-to-date status documents\n                      ensures that passport and visa information is correct before\n                      allowing access to Department facilities and is important to\n                      demonstrate that an individual\'s identity and authority to\n                      work are valid, access for certain activities is appropriate,\n                      and the foreign national is eligible to be in the United\n                      States. 
During the course of our review, the Headquarters\n                      office in question acknowledged this weakness and\n                      immediately mandated the verification of passport and visa\n                      data.\n\n                      Access to Sensitive Data\n\n                      At one NNSA laboratory, some hosts were not providing\n                      necessary information to ensure that required\n                      counterintelligence reviews were conducted prior to\n                      permitting foreign nationals to access sensitive information\n                      systems and data. Department directives mandate that a\n                      counterintelligence review must occur for all foreign\n                      nationals who have access or potential access to sensitive\n                      information. Such information may reside on computer\n                      systems and could include categories of unclassified\n                      controlled information such as export control, proprietary,\n                      or unclassified controlled nuclear information. 
Hosts did\n                      not always ensure an annotation was made in the\n                      "sensitive" subject field of the laboratory\'s foreign national\n                      tracking system \xe2\x80\x93 an action that would automatically\n                      trigger the performance of needed national indices checks\n                      and local counterintelligence reviews.\n\n                                          Centralized Tracking\n\n                      Similar to the issue identified in The Department\'s\n                      Unclassified Foreign Visits and Assignments Program\n                      (DOE/IG-0579, December 2002), laboratories were still not\n                      ensuring that the Department\'s official complex-wide\n                      database for tracking all foreign national visitors and\n                      assignees was current and complete. Biographical and\n                      personal information, including passport and visa\n                      information, for each foreign visitor, is required to be\n                      entered by field sites into FACTS, the Department\'s official\n                      database. Such information contains identification\n                      numbers and passport and visa expiration dates and is\n                      critical because visitors are not authorized to be in the\n                      United States without current credentials. While field sites\n                      are allowed to maintain their own tracking systems,\n                      FACTS is the only foreign visitor tracking database\n                      authorized by the Department and is the official source\n                      used to report information to Congress and other\n                      stakeholders. 
Because sites are maintaining their own\n                      systems, the Department permits sites to upload data to the\n                      FACTS from site-level tracking systems to eliminate the\n                      burden of duplicate entry. Our analysis, however,\n                      established that three of the four national laboratories in our\n                      review were not ensuring that site-level information was\n                      correct in FACTS.\n\n                      Testing of FACTS data for one NNSA and two Science\n                      laboratories revealed significant and continuing problems\n                      with the accuracy of legal status documentation, such as\n                      visa and legal permanent resident information. For 104 of\n                      the 188 randomly selected visitors we reviewed, all of\n                      which were from sensitive countries, tracking information\n                      was not properly entered, contained errors, or was not up-\n                      to-date. Specifically, 53 of the 58 sampled visitors at an\n                      NNSA laboratory, 32 of 64 sampled visitors at one Science\n                      laboratory, and 19 of 66 sampled visitors at another Science\n                      laboratory either contained no legal status information or\n                      such data was out-of-date.\n\n                      Additionally, the three laboratories were not ensuring that\n                      visits were closed in FACTS within the prescribed 15 day\n                      timeframe. Of the 179 completed visits we evaluated, 96\n                      had not been closed within the prescribed time period. 
The\n                      table below illustrates the number of days taken to\n                      officially close each visit associated with our sampled\n                      foreign national visitors.\n\n                                    Number of Days to Close Visit or Assignment\n\n                                             15 or Fewer    16-90    Over 90    Total\n                       Science Laboratory         23          19        11        53\n                       Science Laboratory         19          17         0        36\n                       NNSA Laboratory            41          12        37        90\n                       Totals                     83          48        48       179\n\n                      It is important to note that 24 visits or assignments\n                      remained open for more than a year after they should have\n                      been closed.\n\n                      In a related issue, at both of the Science laboratories,\n                      visitors and assignees were often given access to the sites\n                      for a two-year time period although they may or may not be\n                      at the site for that entire duration. This practice was used\n                      primarily to accommodate visits to user facilities for which\n                      actual visit dates were unknown at the initiation of the visit\n                      or assignment. In many cases, the purpose for the initial\n                      visit may be accomplished in less time, but the visit is not\n                      "closed" until the end of the two-year period. 
As a\n                      consequence, visitors or assignees unnecessarily retain their\n                      security badges and have the ability to access the site for\n                      the entire two-year period.\n\n\nDepartmental Foreign   Hosting and tracking weaknesses existed because:\nNational Tracking      (1) site foreign visits and assignments managers were not\nand Hosting            validating that hosts were meeting established\nRequirements           requirements; and, (2) neither field sites nor Headquarters\n                       officials were conducting basic data comparisons.\n                                         Validating Host Activities\n\n                       Although host-specific training existed, laboratories in our\n                       review were not validating that hosts were effectively\n                       fulfilling their responsibilities. Each of the laboratories\n                       required specific training to qualify individuals to host\n                       foreign nationals. Training generally covered requirements\n                       regarding notification of visit or assignment end dates,\n                       familiarity with specific security plans, and information\n                       hosts should be providing, such as a need for access to\n                       sensitive information. While all hosts we interviewed had\n                       received the applicable training, they were not meeting\n                       many of their hosting requirements and responsibilities.\n\n                                            Data Comparisons\n\n                       Organizations also did not take action to ensure that foreign\n                       visit information was correct and/or periodically\n                       reconciled. 
Based on the extensive differences identified in\n                       our comparison of site-level foreign visit information to\n                       data in FACTS, we concluded that field sites were not\n                       conducting basic comparisons of data maintained in their\n                       own tracking systems to that in FACTS. Our work\n                       demonstrated that even basic visual data checks \xe2\x80\x93 such as\n                       comparing the expiration dates of visas between the\n                       systems \xe2\x80\x93 would have revealed inadequacies with data in\n                       FACTS. Further, while FACTS had the capability to sort\n                       and search data, the Office of Health, Safety and Security\'s\n                       (HSS) Office of Foreign Visits and Assignments had not\n                       built basic edit checks into FACTS and was not otherwise\n                       using program tools to identify problems such as visa\n                       expiration dates that preceded end visit dates or visits that\n                       did not have visa information at all. For example, a review\n                       of FACTS data from one Office of Science site revealed\n                       that visas for 15 of 66 visitors in our sample had expired\n                       before their visits even began.\n\nMitigating Security    Weaknesses in the Department\'s foreign visits and\nRisks                  assignments program increase the security risk for the\n                       Department\'s facilities and information. 
For example, at\n                       least one visitor accessed a laboratory using a valid\n                       identification badge on two occasions the month after his\n                     assignment had been revoked. Site officials were unaware\n                     of the unauthorized access until we brought it to their\n                     attention.\n\n                     The unauthorized access is exacerbated by the fact that the\n                     same visitor\'s background check had expired four months\n                     prior to the two unauthorized visits, which were made after\n                     the site\'s normal operating hours. Because the\n                     foreign national maintained an active visit and security\n                     badge in laboratory systems, he was able to access the site\n                     without question. Neither the host nor other site officials\n                     could explain his purpose or whereabouts on the site. The\n                     situation could have been avoided had the visit been closed\n                     and site access terminated at the same time the assignment\n                     was revoked.\n\n                     While the Department must adhere to its mission to foster\n                     and advance scientific research and development,\n                     minimizing risks is important because the national\n                     laboratories hold some of our most valuable national\n                     security assets. 
Research essential to our national defense\n                     relies increasingly on unclassified science and technology,\n                     and thousands of foreign nationals from institutions around\n                     the world interact with laboratory employees at Department\n                     facilities. While we recognize that documenting and\n                     tracking foreign national visitors and assignees requires\n                     additional attention and effort at the site-level, the risk or\n                     damage to the Nation\'s security interests demands vigilance.\n                     The Department must ensure that it maintains needed\n                     information and is prepared to respond to inquiries in a\n                     timely manner.\n\n\nRECOMMENDATIONS      To help ensure that Department requirements for foreign\n                     national accountability, access and control are\n                     comprehensively detailed and consistently applied, we\n                     recommend that the Administrator, NNSA and the Under\n                     Secretary for Science require that field sites:\n\n                          1. Ensure hosts are meeting requirements for\n                             updating visit status, familiarizing themselves\n                             with specific security plans, validating status\n                             documentation as necessary, and providing full\n                             details of required sensitive information access;\n\n                          2. Take immediate action to close completed visits\n                             or assignments in FACTS and terminate access to\n                             sites and facilities that is no longer required; and\n\n                          3. 
Ensure required foreign visitor and assignee\n                             information is accurate and complete in FACTS.\n\n                     To help ameliorate increased risks associated with foreign\n                     national interaction and ensure that complete status\n                     information is available, we recommend that the Chief\n                     Health, Safety and Security Officer:\n\n                          4. Require that the Office of Foreign Visits and\n                             Assignments implement data comparisons,\n                             including edit checks and/or error reports\n                             generated on a periodic basis, to help ensure that\n                             information entered into FACTS is accurate and\n                             complete.\n\n\nMANAGEMENT           Management agreed with the information in the report\nREACTION             and generally concurred with each of the specific\n                     recommendations. In a joint response, the Offices of\n                     Science and HSS provided comments on intended actions.\n                     Science is taking immediate action to work with its\n                     Integrated Support Center to close visits and assignments\n                     that are no longer required. Additionally, Science will\n                     work closely with field sites and HSS in implementing the\n                     additional recommendations. HSS responded that its\n                     Office of Foreign Visits and Assignments had already\n                     begun development of a FACTS modification to add edit\n                     checks and error reports to reject the entry of inaccurate\n                     and/or incomplete information. 
In its informal comments, NNSA indicated that it concurred with the findings and
recommendations and pledged to take necessary corrective actions. It did not, however,
provide a corrective action plan.

AUDITOR COMMENTS

Management's comments are responsive to our recommendations.

Appendix 1

OBJECTIVE

The objective of our review was to determine whether the Department of Energy (Department)
had improved the management of its Foreign Visits and Assignments Program.

SCOPE

The review was performed at Headquarters and four national laboratories, two managed by the
Office of Science (Science) and two managed by the National Nuclear Security Administration
(NNSA), from August 2006 through February 2008.
The universe of our samples consisted of foreign national visitors, assignees, and employees
at those sites from October 2004 through May 2007.

METHODOLOGY

To accomplish our objective, we:

   • Reviewed Department and site-specific policies, procedures, and training materials
     related to unclassified foreign national visits and assignments;

   • Reviewed lists of foreign national visitors, assignees, and employees provided by the
     Department's Foreign Access Central Tracking System, site badge systems, and site
     foreign visits and assignment systems;

   • Randomly selected samples of 66 sensitive country foreign national visitors, assignees,
     and employees from one Science-managed laboratory, 64 from the other Science-managed
     laboratory, and 58 from the NNSA-managed laboratory;

   • Judgmentally selected a sample of 100 sensitive and non-sensitive country foreign
     national visitors and assignees from the other NNSA-managed laboratory;

   • Randomly selected samples of 55 and 54 visitors and assignees from each of the
     Headquarters offices selected for review;

   • Reviewed supporting documentation for our sample of foreign national visitors,
     assignees, and employees;

   • Interviewed officials from the Headquarters Office of Foreign Visits and Assignments,
     Counterintelligence, and selected site security, foreign visits, and
     Counterintelligence offices to gain an understanding of roles, responsibilities, and
     procedures; and,

   • Interviewed officially-designated foreign national hosts judgmentally selected from our
     samples to obtain supporting information on visitors or assignees.

We assessed performance measures established under the Government Performance and Results
Act of 1993. While specific performance measures concerning foreign visits and assignments
did not exist, performance in this regard was either measured by each laboratory's
safeguards and securities reviews or will be enhanced with the implementation of our
recommendations and suggestions.

Management waived an exit conference.

Appendix 2

OTHER MATTERS FOR CONSIDERATION

In addition to weaknesses identified in the overall unclassified Foreign Visits and
Assignments Program discussed in this report, we also identified an additional
cyber-specific issue at one of the National Nuclear Security Administration (NNSA)
laboratories in our review.
Specifically, the laboratory had not fully mitigated the risk of foreign nationals gaining
unauthorized access to its unclassified Intranet.

Officials at one NNSA laboratory indicated that security features on many laboratory desktop
and laptop computers used by foreign national visitors and assignees were not always
implemented. We learned from laboratory security officials that software controls designed
to prevent foreign nationals from circumventing security features were implemented on
laboratory computers assigned to sensitive country foreign nationals. These controls were
not, however, implemented on most computers assigned to non-sensitive country foreign
nationals. According to officials, users circumventing security features on computers could
modify log-on settings, load unauthorized software, remove software, and change computer
settings – ultimately permitting unauthorized access to the laboratory's information
systems.

Laboratory officials also revealed that some foreign visitors and assignees enjoyed
unsupervised use of their foreign government, university, or business laptops in laboratory
facilities with live Intranet connections. Both Department and laboratory policy allow both
U.S. citizens and non-sensitive country foreign nationals to bring their government,
business, or university laptop computers onto the site for unclassified, stand-alone use.
Counterintelligence officials at the laboratory told us that they were concerned with the
current practice because foreign nationals could connect their computer equipment to the
laboratory's Intranet without authorization.
These connections pose a threat and could permit the foreign nationals to download large
amounts of data, probe the network for vulnerabilities, and implant malicious code.

SUGGESTIONS FOR IMPROVEMENT

To help decrease the risk associated with foreign national data access and computer
operation, we suggest that NNSA require the laboratory to:

   1. Strengthen security and access controls for computers operated by foreign nationals to
      help prevent or detect unauthorized or malicious use; and,

   2. Specifically restrict the connection of all non-U.S. Government owned equipment to the
      laboratory's network and Intranet.

Appendix 3

PRIOR REPORTS

Office of Inspector General

   • The Department's Unclassified Foreign Visits and Assignments Program (DOE/IG-0579,
     December 2002). That audit identified three deficiencies in adequately controlling
     unclassified visits and assignments at two national laboratories. Those deficiencies
     included failures to ensure that: (1) all foreign nationals had current passports and
     visas; (2) foreign nationals were not granted site access prior to official approval
     and before background checks or counterintelligence consultations were completed; and,
     (3) sufficient information was provided to the Department of Energy's (Department)
     centralized tracking system, which was designed to facilitate complex-wide tracking of
     the status of foreign nationals.

   • Our office conducted a series of annual Inspections from 2000 – 2006 of export
     licensing controls in the Department.
     These inspections were also part of an effort with other agencies that conduct these
     activities such as Commerce, Defense, and Homeland Security. The most recent
     inspection, The Department of Energy's Review of Export License Applications for China
     (DOE/IG-0723, April 2006), concluded that the export license review process to control
     the export of critical technologies to China was appropriate and consistent with
     existing procedures. However, it also noted that access by Department officials
     conducting license reviews to end user-review information maintained by one National
     Nuclear Security Administration laboratory could be improved, and included a
     recommendation to address the concern. Additionally, it reported that 12 of 15
     recommendations made in the earlier Inspections had been closed, but that export
     control guidance still needed to be consistently implemented throughout the Department
     complex and appropriate action was necessary to ensure that licensing officers have
     access to and proper training in the use of the Department of Commerce's Export Control
     Automated Support System.

Appendix 4

MANAGEMENT COMMENTS

IG Report No. DOE/IG-0791

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its
products.
We wish to make our reports as responsive as possible to our customers' requirements, and,
therefore, ask that you consider sharing your thoughts with us. On the back of this form,
you may suggest improvements to enhance the effectiveness of future reports. Please include
answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or
   procedures of the inspection would have been helpful to the reader in understanding this
   report?

2. What additional information related to findings and recommendations could have been
   included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall
   message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues
   discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have
   any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at
(202) 586-0948, or you may mail it to:

   Office of Inspector General (IG-1)
   Department of Energy
   Washington, DC 20585

   ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of
Inspector General, please contact Judy Garland-Smith (202) 586-7828.

The Office of Inspector General wants to make the distribution of its reports as customer
friendly and cost effective as possible.
Therefore, this report will be available electronically through the Internet at the
following address:

   U.S. Department of Energy Office of Inspector General Home Page
   http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form.